On Mon, 2010-12-13 at 10:41 +0000, Graeme Fowler wrote:
> Now... again, poor little dumb brain time again: Why do we need Exim to
> be setuid root? Presumably this is so it can change user when invoked to
> do local deliveries as the right user (amongst myriad other things).

Yeah. There are plenty of other MTAs with a split process setup where
only the *delivery* agent actually has root privileges. The *transport*
program doesn't need them.

The problem is that those are the fairly feature-poor MTAs. If you just
need to specify the mbox/maildir/etc location and spawn a process as
root to "append to this mailbox", then that's simple enough to split
out.

But Exim is far more capable than that, and can run Sieve and Exim
filter files as the user in question, processing autoreply and more
complex stuff. And the filters will expect to see certain variables
which were set during the delivery process ($original_local_part etc.).

But fundamentally, yes. Exim is keeping its root privs while it does all
that 'generic' stuff, just so that it can later give them away by
becoming the actual user it wants to deliver to.

It would be an interesting exercise to see how much we could reduce what
Exim does as root when setting up for a delivery run. If we could get to
the point where it doesn't need to interpret the config at all, but is
handed everything it needs for that specific delivery 'on a plate', then
that might be interesting. Although of course if you pass it information
by some other means you still have the question of why it should *trust*
what it's being told...

Given the versatility we have in message deliveries, even local
delivery, I don't think it's massively practical to change the design.

--
dwmw2
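The hand-off described in the message above (hold root while the generic work is done, then become the delivery user and never get root back) is shown here as an added C example. It is not Exim's code and not from anyone in the thread; it assumes Linux/glibc setuid() semantics (a uid-0 caller changes real, effective and saved uids together) and uses uid/gid 65534, conventionally "nobody", as a stand-in delivery user when run as root. The point a reviewer would look for is the order of the calls (supplementary groups, then gid, then uid) and the check afterwards that setuid(0) now fails, which is what makes the drop permanent rather than merely temporary.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Permanently give up root and become the delivery user (uid, gid).
 * Order matters: supplementary groups first (only root may clear them,
 * and they would otherwise survive the switch), then the gid, then the
 * uid, because once the uid is no longer 0 the process may not change
 * its gid any more. Returns 0 on success, -1 with errno set on failure.
 */
int drop_to_user(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    return 0;
}

/*
 * Verify the drop was irreversible. With glibc on Linux, setuid() from a
 * uid-0 process sets real, effective and saved uids, so a later setuid(0)
 * must fail with EPERM. Returns 1 when root is gone for good, 0 when it
 * could be regained (saved uid left at 0, i.e. only seteuid-style drop),
 * -1 on any other error.
 */
int root_is_gone(void)
{
    if (setuid(0) == 0)
        return 0;
    return errno == EPERM ? 1 : -1;
}

/*
 * Stand-in delivery user for the demonstration (an assumption, not a
 * lookup): 65534 ("nobody" on most Linux systems) when we start as root,
 * our own ids otherwise so the program also runs unprivileged.
 */
uid_t target_uid(void) { return geteuid() == 0 ? (uid_t)65534 : getuid(); }
gid_t target_gid(void) { return geteuid() == 0 ? (gid_t)65534 : getgid(); }

int main(void)
{
    uid_t uid = target_uid();
    gid_t gid = target_gid();

    if (drop_to_user(uid, gid) != 0) {
        perror("drop_to_user");
        return 1;
    }
    int gone = root_is_gone();
    printf("now uid=%u gid=%u, root permanently dropped: %s\n",
           (unsigned)getuid(), (unsigned)getgid(), gone == 1 ? "yes" : "NO");
    return gone == 1 ? 0 : 1;
}
```

Run it once as an ordinary user and once as root: in both cases the final check should report that root cannot be regained. The same two functions are the shape of a unit test for any setuid helper that is supposed to become a target user, since a drop that leaves the saved uid at 0 looks identical from `id` output but is undone by a single call.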